NSS open multiple NSS-Databses at once?

classic Classic list List threaded Threaded
13 messages Options
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

NSS open multiple NSS-Databses at once?

Opa114-2
Hi there,

i have to use NSS in one of my applications and therefor i have to open multiple databases (for example Firefox and Thunderbird) at once to read and write into these. How can i do this programatically in C++? Some exmaple Code would be very helpful because the whole NSS-Stuff is not very well documented.

Thnaks in advice! :)
--
dev-tech-crypto mailing list
[hidden email]
https://lists.mozilla.org/listinfo/dev-tech-crypto
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: NSS open multiple NSS-Databses at once?

Robert Relyea
On 01/08/2017 05:34 AM, Opa114 wrote:
> Hi there,
>
> i have to use NSS in one of my applications and therefor i have to open multiple databases (for example Firefox and Thunderbird) at once to read and write into these. How can i do this programatically in C++? Some exmaple Code would be very helpful because the whole NSS-Stuff is not very well documented.
>
> Thnaks in advice! :)

NSS does have a database format that can allow multiple applications to
open the same database at the same time, but neither Firefox nor
Thunderbird has yet moved to that database. It is possible to force them
to use this database format by setting the NSS_DEFAULT_DB_TYPE to sql.
Once they are using the same database, you will have to use symbolic
links so that the NSS databases in the separate firefox and thunderbird
point to a single database.

https://wiki.mozilla.org/NSS_Shared_DB_Howto explains how to do set up
the above.

If you have an application, you can open the shared database by passing
"sql:{shared directory path}" to the configdir parameter of the
NSS_Initxxx function you are calling to initialize NSS (where {shared
directory path} is replaced by a path to a common directory you which
your applications to share. Some recommendations for Linux based
applications can be found here:
https://wiki.mozilla.org/NSS_Shared_DB_And_LINUX


bob



--
dev-tech-crypto mailing list
[hidden email]
https://lists.mozilla.org/listinfo/dev-tech-crypto
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: NSS open multiple NSS-Databses at once?

Opa114-2
In reply to this post by Opa114-2
thanks, but these facts i know.
I don't want top let multiple applications open one Database, i want to open multiple different Mozilla databases, in the old standard format, with one (my) application.

I tried to use the NSS_Init functions. These works with openening one database, but when i open a second one the whole application crashes,so that's why i asked the question and may be get some working example c++ code?
--
dev-tech-crypto mailing list
[hidden email]
https://lists.mozilla.org/listinfo/dev-tech-crypto
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: NSS open multiple NSS-Databses at once?

John Dennis
On 01/10/2017 01:18 PM, Opa114 wrote:

> thanks, but these facts i know. I don't want top let multiple
> applications open one Database, i want to open multiple different
> Mozilla databases, in the old standard format, with one (my)
> application.
>
> I tried to use the NSS_Init functions. These works with openening one
> database, but when i open a second one the whole application
> crashes,so that's why i asked the question and may be get some
> working example c++ code?
>

Our experience says you can only have 1 old style database open at a
time and you have to call nss shutdown and then open another. It's easy
for shutdown to fail because some NSS resource has not been freed,
figuring out which one is really hard. We try to track which database is
open at any given time to avoid a needless shutdown/init cycle. Overall
the experience with trying to use multiple NSS databases has been
frustratingly difficult, my advice is if you can avoid it then you're
much better off.

--
John
--
dev-tech-crypto mailing list
[hidden email]
https://lists.mozilla.org/listinfo/dev-tech-crypto
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: NSS open multiple NSS-Databses at once?

Robert Relyea
In reply to this post by Opa114-2
On 01/10/2017 10:18 AM, Opa114 wrote:
> thanks, but these facts i know.
> I don't want top let multiple applications open one Database, i want to open multiple different Mozilla databases, in the old standard format, with one (my) application.
>
> I tried to use the NSS_Init functions. These works with openening one database, but when i open a second one the whole application crashes,so that's why i asked the question and may be get some working example c++ code?
1) Where are you crashing (it's not expected to work, but I don't expect
a crash because you called NSS_Init again).

2) To open additional databases you want to use SECMOD_OpenUserDB:

https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/PKCS11_Functions#SECMOD_OpenUserDB

You can call that multiple times.
Once the database is opened any of the NSS find functions will find all
the certs in both databases. The slot returned from SECOMD_OpenUserDB
can be used in functions that take a slot to narrow the operations just
to that particular database.

To NSS each database will look basically like a smart card.

When you are through with that database you can use SECMOD_CloseUserDB()

bob


--
dev-tech-crypto mailing list
[hidden email]
https://lists.mozilla.org/listinfo/dev-tech-crypto
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: NSS open multiple NSS-Databses at once?

John Dennis
On 01/10/2017 04:23 PM, Robert Relyea wrote:
> 2) To open additional databases you want to use SECMOD_OpenUserDB:

Bob, is SECMOD_OpenUserDB new?

--
John
--
dev-tech-crypto mailing list
[hidden email]
https://lists.mozilla.org/listinfo/dev-tech-crypto
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: NSS open multiple NSS-Databses at once?

Opa114-2
In reply to this post by Opa114-2
Am Dienstag, 10. Januar 2017 22:24:10 UTC+1 schrieb Robert Relyea:

> On 01/10/2017 10:18 AM, Opa114 wrote:
> > thanks, but these facts i know.
> > I don't want top let multiple applications open one Database, i want to open multiple different Mozilla databases, in the old standard format, with one (my) application.
> >
> > I tried to use the NSS_Init functions. These works with openening one database, but when i open a second one the whole application crashes,so that's why i asked the question and may be get some working example c++ code?
> 1) Where are you crashing (it's not expected to work, but I don't expect
> a crash because you called NSS_Init again).
>
> 2) To open additional databases you want to use SECMOD_OpenUserDB:
>
> https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/PKCS11_Functions#SECMOD_OpenUserDB
>
> You can call that multiple times.
> Once the database is opened any of the NSS find functions will find all
> the certs in both databases. The slot returned from SECOMD_OpenUserDB
> can be used in functions that take a slot to narrow the operations just
> to that particular database.
>
> To NSS each database will look basically like a smart card.
>
> When you are through with that database you can use SECMOD_CloseUserDB()
>
> bob


thanks for reply. Here are first some little code of which did not work, that means it crashes:

functionLoadFirefox() {
SECStatus rv = NSS_InitReadWrite(PATH_TO_FF_DB);
... if success load Certificates with PK11_ListCerts(PK11CertListAll, NULL);
NSS_Shutdown();
}

functionLoadThunderbird() {
SECStatus rv = NSS_InitReadWrite(PATH_TO_TB_DB);
... if success load Certificates with PK11_ListCerts(PK11CertListAll, NULL);
NSS_Shutdown();
}

So these are my two functions in which i opened and clos the databases and retrieve the certificates.

--> 2) To open additional databases you want to use SECMOD_OpenUserDB
So this means. First i have to call NSS_Init with let's say firefox database ad the i have to call SECMOD_OpenUserDB with the thudnerbirddatabse, right? Or must i load both with the SECMOD_OpenUserDB?

--> Once the database is opened any of the NSS find functions will find all the certs in both databases
But i have to know from which databse the certificates are coming from. So i need to know that let's say Certificate ABC ist stored inside Firefox Databse and Certificate 123 is stored in Thunerbird Database. How can i do that? or is this not possible?
--
dev-tech-crypto mailing list
[hidden email]
https://lists.mozilla.org/listinfo/dev-tech-crypto
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: NSS open multiple NSS-Databses at once?

Robert Relyea
In reply to this post by John Dennis
On 01/10/2017 01:40 PM, John Dennis wrote:
> On 01/10/2017 04:23 PM, Robert Relyea wrote:
>> 2) To open additional databases you want to use SECMOD_OpenUserDB:
>
> Bob, is SECMOD_OpenUserDB new?
>
No, it's been around for quite some time.


bob

--
dev-tech-crypto mailing list
[hidden email]
https://lists.mozilla.org/listinfo/dev-tech-crypto
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: NSS open multiple NSS-Databses at once?

Robert Relyea
In reply to this post by Opa114-2
On 01/10/2017 02:07 PM, Opa114 wrote:

> Am Dienstag, 10. Januar 2017 22:24:10 UTC+1 schrieb Robert Relyea:
>> On 01/10/2017 10:18 AM, Opa114 wrote:
>>> thanks, but these facts i know.
>>> I don't want top let multiple applications open one Database, i want to open multiple different Mozilla databases, in the old standard format, with one (my) application.
>>>
>>> I tried to use the NSS_Init functions. These works with openening one database, but when i open a second one the whole application crashes,so that's why i asked the question and may be get some working example c++ code?
>> 1) Where are you crashing (it's not expected to work, but I don't expect
>> a crash because you called NSS_Init again).
>>
>> 2) To open additional databases you want to use SECMOD_OpenUserDB:
>>
>> https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/PKCS11_Functions#SECMOD_OpenUserDB
>>
>> You can call that multiple times.
>> Once the database is opened any of the NSS find functions will find all
>> the certs in both databases. The slot returned from SECOMD_OpenUserDB
>> can be used in functions that take a slot to narrow the operations just
>> to that particular database.
>>
>> To NSS each database will look basically like a smart card.
>>
>> When you are through with that database you can use SECMOD_CloseUserDB()
>>
>> bob
>
> thanks for reply. Here are first some little code of which did not work, that means it crashes:
>
> functionLoadFirefox() {
> SECStatus rv = NSS_InitReadWrite(PATH_TO_FF_DB);
> ... if success load Certificates with PK11_ListCerts(PK11CertListAll, NULL);
> NSS_Shutdown();
> }
>
> functionLoadThunderbird() {
> SECStatus rv = NSS_InitReadWrite(PATH_TO_TB_DB);
> ... if success load Certificates with PK11_ListCerts(PK11CertListAll, NULL);
> NSS_Shutdown();
> }
>
> So these are my two functions in which i opened and clos the databases and retrieve the certificates.
So the certs you got from the first call is likely preventing
NSS_Shutdown from completing. The certs hold references to the
respective slots. Those references prevent NSS_Shutdown from closing
completely. The will prevent the second NSS_Init from succeeding, so you
probably crash in your second shutdown. You can detect this happened by
looking at the return value from NSS_Shutdown().
>
> --> 2) To open additional databases you want to use SECMOD_OpenUserDB
> So this means. First i have to call NSS_Init with let's say firefox database ad the i have to call SECMOD_OpenUserDB with the thudnerbirddatabse, right? Or must i load both with the SECMOD_OpenUserDB?
You can either use NSS_Init with no database and then call
SECMOD_OpenUserDB() for both, or you can call NSS_Init with one database
and then call SECMOD_OpenUserDB with the other.
>
> --> Once the database is opened any of the NSS find functions will find all the certs in both databases
> But i have to know from which databse the certificates are coming from. So i need to know that let's say Certificate ABC ist stored inside Firefox Databse and Certificate 123 is stored in Thunerbird Database. How can i do that? or is this not possible?
The slot the database can be found in the cert->slot entry, but this
will only give you ONE of the slots the cert lives in. If a cert exists
in both databases, it will have a single entry on the list and be
"somewhat" random which slot is listed (If you open one database with
NSS_Init and the second with SECMOD_OpenUserDB() then the one you opened
with SECMOD_OpenUserDB() will be the slot that shows up.

To fix this issue, there's a function called PK11_GetAllSlotsForCert()
which returns a slotList and will return all the slots that hold this
cert. The slots map one for one to the databases you opened (or any
smart cards you have loaded). You can control the 'tokenName' of each
slot with the string arguments you pass to SECMOD_OpenUserDB(), and you
can get the token name with PK11_GetTokenName() on each slot on the list..

You could also use PK11_ListCertsInSlot() which takes a slot
(SECMOD_OpenUserDB() will return a slot for you) and lists only those
certs in that slot.

Be sure to free all these things once you are through with them, or your
shutdown will fail at the end again.


bob


--
dev-tech-crypto mailing list
[hidden email]
https://lists.mozilla.org/listinfo/dev-tech-crypto
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: NSS open multiple NSS-Databses at once?

Julien Pierre-3
In reply to this post by Robert Relyea
I think the main restriction you are likely to run into is with trust.

You can likely explain how this works far better than I can, but I think
essentially, you can't treat your multiple cert/key databases as
entirely separate for purposes of trust. Ie. if you try to trust one CA
in one DB/slot and not trust it in another DB/slot, you won't actually
be able to do that. I think pkcs11.txt will dictate where trust actually
ends up getting stored. But there will be one one value of trust flags
per cert per process at a time.

So, op should make sure the limitations with trust are understood before
trying to use this call. IMO, it's a big can of worms. Like John, I
would also recommend avoiding the use of multiple DBs per process. We
didn't go all the way and did not implement multiple trust domains,
which would be needed to accomplish true separation of trust.

Ideally, NSS should support multiple, completely separate
initializations per process, without any shared state between them. But
it wasn't designed that way. I think this could be fixed for the upper
layers like libnss/libssl/libsmime .

It is more difficult to fix for the lower layers, especially PKCS#11,
unless the different trust domains have no overlapping PKCS#11 shared
libs in common . I don't think the PKCS#11 semantics allow for multiple
independent states within one shared lib. So this would likely need to
be an extension of the spec.

Julien


On 1/10/2017 3:24 PM, Robert Relyea wrote:

> On 01/10/2017 01:40 PM, John Dennis wrote:
>> On 01/10/2017 04:23 PM, Robert Relyea wrote:
>>> 2) To open additional databases you want to use SECMOD_OpenUserDB:
>>
>> Bob, is SECMOD_OpenUserDB new?
>>
> No, it's been around for quite some time.
>
>
> bob
>

--
dev-tech-crypto mailing list
[hidden email]
https://lists.mozilla.org/listinfo/dev-tech-crypto
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: NSS open multiple NSS-Databses at once?

Opa114-2
In reply to this post by Opa114-2
Am Mittwoch, 11. Januar 2017 00:45:45 UTC+1 schrieb Robert Relyea:

> On 01/10/2017 02:07 PM, Opa114 wrote:
> > Am Dienstag, 10. Januar 2017 22:24:10 UTC+1 schrieb Robert Relyea:
> >> On 01/10/2017 10:18 AM, Opa114 wrote:
> >>> thanks, but these facts i know.
> >>> I don't want top let multiple applications open one Database, i want to open multiple different Mozilla databases, in the old standard format, with one (my) application.
> >>>
> >>> I tried to use the NSS_Init functions. These works with openening one database, but when i open a second one the whole application crashes,so that's why i asked the question and may be get some working example c++ code?
> >> 1) Where are you crashing (it's not expected to work, but I don't expect
> >> a crash because you called NSS_Init again).
> >>
> >> 2) To open additional databases you want to use SECMOD_OpenUserDB:
> >>
> >> https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/PKCS11_Functions#SECMOD_OpenUserDB
> >>
> >> You can call that multiple times.
> >> Once the database is opened any of the NSS find functions will find all
> >> the certs in both databases. The slot returned from SECOMD_OpenUserDB
> >> can be used in functions that take a slot to narrow the operations just
> >> to that particular database.
> >>
> >> To NSS each database will look basically like a smart card.
> >>
> >> When you are through with that database you can use SECMOD_CloseUserDB()
> >>
> >> bob
> >
> > thanks for reply. Here are first some little code of which did not work, that means it crashes:
> >
> > functionLoadFirefox() {
> > SECStatus rv = NSS_InitReadWrite(PATH_TO_FF_DB);
> > ... if success load Certificates with PK11_ListCerts(PK11CertListAll, NULL);
> > NSS_Shutdown();
> > }
> >
> > functionLoadThunderbird() {
> > SECStatus rv = NSS_InitReadWrite(PATH_TO_TB_DB);
> > ... if success load Certificates with PK11_ListCerts(PK11CertListAll, NULL);
> > NSS_Shutdown();
> > }
> >
> > So these are my two functions in which i opened and clos the databases and retrieve the certificates.
> So the certs you got from the first call is likely preventing
> NSS_Shutdown from completing. The certs hold references to the
> respective slots. Those references prevent NSS_Shutdown from closing
> completely. The will prevent the second NSS_Init from succeeding, so you
> probably crash in your second shutdown. You can detect this happened by
> looking at the return value from NSS_Shutdown().
> >
> > --> 2) To open additional databases you want to use SECMOD_OpenUserDB
> > So this means. First i have to call NSS_Init with let's say firefox database ad the i have to call SECMOD_OpenUserDB with the thudnerbirddatabse, right? Or must i load both with the SECMOD_OpenUserDB?
> You can either use NSS_Init with no database and then call
> SECMOD_OpenUserDB() for both, or you can call NSS_Init with one database
> and then call SECMOD_OpenUserDB with the other.
> >
> > --> Once the database is opened any of the NSS find functions will find all the certs in both databases
> > But i have to know from which databse the certificates are coming from. So i need to know that let's say Certificate ABC ist stored inside Firefox Databse and Certificate 123 is stored in Thunerbird Database. How can i do that? or is this not possible?
> The slot the database can be found in the cert->slot entry, but this
> will only give you ONE of the slots the cert lives in. If a cert exists
> in both databases, it will have a single entry on the list and be
> "somewhat" random which slot is listed (If you open one database with
> NSS_Init and the second with SECMOD_OpenUserDB() then the one you opened
> with SECMOD_OpenUserDB() will be the slot that shows up.
>
> To fix this issue, there's a function called PK11_GetAllSlotsForCert()
> which returns a slotList and will return all the slots that hold this
> cert. The slots map one for one to the databases you opened (or any
> smart cards you have loaded). You can control the 'tokenName' of each
> slot with the string arguments you pass to SECMOD_OpenUserDB(), and you
> can get the token name with PK11_GetTokenName() on each slot on the list..
>
> You could also use PK11_ListCertsInSlot() which takes a slot
> (SECMOD_OpenUserDB() will return a slot for you) and lists only those
> certs in that slot.
>
> Be sure to free all these things once you are through with them, or your
> shutdown will fail at the end again.
>
>
> bob

thanks again for the detailed explanation, that helps me a lot - many thanks!

--> So the certs you got from the first call is likely preventing
NSS_Shutdown from completing.....
So when i free the used stuff i can close the database correctly, so that i can open the second one. If i can close the first one correctly and NSS shuts down i should be able to open the second one, too.
Can you give me some more details to my piece of code or in general how to free the things correctly?

So if it will be better to open the two or more databases but successively and not at the same time as i wanted to do it. Would this be the better working solution. The only thing is that i then must reopen and shutdown the databses multiple times if needed.

And did i understand it right, that i can use SECMOD_OpenUserDB() and SECMOD_CloseUserDB() to open and close the databases instead of using NSS_Init() and NSS_Shutdown()? The SECMOD-functions do call them internal or? Or does it not matter which of the functions i use?

--> ... if you try to trust one CA in one DB/slot and not trust it in another DB/slot, you won't actually be able to do that
This is extremely bad, because i have to maybe change the Trust-Status of some Certificates.

So in conclusion for my needs it would be the way to open each database separately and successively?
--
dev-tech-crypto mailing list
[hidden email]
https://lists.mozilla.org/listinfo/dev-tech-crypto
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: NSS open multiple NSS-Databses at once?

John Dennis
On 01/11/2017 03:21 AM, Opa114 wrote:

> Am Mittwoch, 11. Januar 2017 00:45:45 UTC+1 schrieb Robert Relyea:
>> On 01/10/2017 02:07 PM, Opa114 wrote:
>>> Am Dienstag, 10. Januar 2017 22:24:10 UTC+1 schrieb Robert Relyea:
>>>> On 01/10/2017 10:18 AM, Opa114 wrote:
>>>>> thanks, but these facts i know.
>>>>> I don't want top let multiple applications open one Database, i want to open multiple different Mozilla databases, in the old standard format, with one (my) application.
>>>>>
>>>>> I tried to use the NSS_Init functions. These works with openening one database, but when i open a second one the whole application crashes,so that's why i asked the question and may be get some working example c++ code?
>>>> 1) Where are you crashing (it's not expected to work, but I don't expect
>>>> a crash because you called NSS_Init again).
>>>>
>>>> 2) To open additional databases you want to use SECMOD_OpenUserDB:
>>>>
>>>> https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/PKCS11_Functions#SECMOD_OpenUserDB
>>>>
>>>> You can call that multiple times.
>>>> Once the database is opened any of the NSS find functions will find all
>>>> the certs in both databases. The slot returned from SECOMD_OpenUserDB
>>>> can be used in functions that take a slot to narrow the operations just
>>>> to that particular database.
>>>>
>>>> To NSS each database will look basically like a smart card.
>>>>
>>>> When you are through with that database you can use SECMOD_CloseUserDB()
>>>>
>>>> bob
>>>
>>> thanks for reply. Here are first some little code of which did not work, that means it crashes:
>>>
>>> functionLoadFirefox() {
>>> SECStatus rv = NSS_InitReadWrite(PATH_TO_FF_DB);
>>> ... if success load Certificates with PK11_ListCerts(PK11CertListAll, NULL);
>>> NSS_Shutdown();
>>> }
>>>
>>> functionLoadThunderbird() {
>>> SECStatus rv = NSS_InitReadWrite(PATH_TO_TB_DB);
>>> ... if success load Certificates with PK11_ListCerts(PK11CertListAll, NULL);
>>> NSS_Shutdown();
>>> }
>>>
>>> So these are my two functions in which i opened and clos the databases and retrieve the certificates.
>> So the certs you got from the first call is likely preventing
>> NSS_Shutdown from completing. The certs hold references to the
>> respective slots. Those references prevent NSS_Shutdown from closing
>> completely. The will prevent the second NSS_Init from succeeding, so you
>> probably crash in your second shutdown. You can detect this happened by
>> looking at the return value from NSS_Shutdown().
>>>
>>> --> 2) To open additional databases you want to use SECMOD_OpenUserDB
>>> So this means. First i have to call NSS_Init with let's say firefox database ad the i have to call SECMOD_OpenUserDB with the thudnerbirddatabse, right? Or must i load both with the SECMOD_OpenUserDB?
>> You can either use NSS_Init with no database and then call
>> SECMOD_OpenUserDB() for both, or you can call NSS_Init with one database
>> and then call SECMOD_OpenUserDB with the other.
>>>
>>> --> Once the database is opened any of the NSS find functions will find all the certs in both databases
>>> But i have to know from which databse the certificates are coming from. So i need to know that let's say Certificate ABC ist stored inside Firefox Databse and Certificate 123 is stored in Thunerbird Database. How can i do that? or is this not possible?
>> The slot the database can be found in the cert->slot entry, but this
>> will only give you ONE of the slots the cert lives in. If a cert exists
>> in both databases, it will have a single entry on the list and be
>> "somewhat" random which slot is listed (If you open one database with
>> NSS_Init and the second with SECMOD_OpenUserDB() then the one you opened
>> with SECMOD_OpenUserDB() will be the slot that shows up.
>>
>> To fix this issue, there's a function called PK11_GetAllSlotsForCert()
>> which returns a slotList and will return all the slots that hold this
>> cert. The slots map one for one to the databases you opened (or any
>> smart cards you have loaded). You can control the 'tokenName' of each
>> slot with the string arguments you pass to SECMOD_OpenUserDB(), and you
>> can get the token name with PK11_GetTokenName() on each slot on the list..
>>
>> You could also use PK11_ListCertsInSlot() which takes a slot
>> (SECMOD_OpenUserDB() will return a slot for you) and lists only those
>> certs in that slot.
>>
>> Be sure to free all these things once you are through with them, or your
>> shutdown will fail at the end again.
>>
>>
>> bob
>
> thanks again for the detailed explanation, that helps me a lot - many thanks!
>
> --> So the certs you got from the first call is likely preventing
> NSS_Shutdown from completing.....
> So when i free the used stuff i can close the database correctly, so that i can open the second one. If i can close the first one correctly and NSS shuts down i should be able to open the second one, too.
> Can you give me some more details to my piece of code or in general how to free the things correctly?

Yes, you have to make sure NSS_Shutdown*() returns without an error, if
it doesn't the next NSS_init* won't work. You can test for whether NSS
is still in an initialized state with  NSS_IsInitialized(). If NSS does
not shutdown successfully it's because of dangling references, finding
out who is holding on to these is the tricky part. Calling
NSS_DumpCertificateCacheInfo() *may* give you enough addition
information to figure that out. In the past I've had to resort to
running the process under GDB and step through code and data structures
to figure it out. How hard this is is really a reflection of the
complexity of your application code. In our case it was pretty complex.
If your code is simple and clean it may be a total non-issue, YMMV.

>
> So if it will be better to open the two or more databases but successively and not at the same time as i wanted to do it. Would this be the better working solution. The only thing is that i then must reopen and shutdown the databses multiple times if needed.

Yes, it's better for successive single databases than multiple
simultaneous IMHO.

> And did i understand it right, that i can use SECMOD_OpenUserDB() and SECMOD_CloseUserDB() to open and close the databases instead of using NSS_Init() and NSS_Shutdown()? The SECMOD-functions do call them internal or? Or does it not matter which of the functions i use?
>
> --> ... if you try to trust one CA in one DB/slot and not trust it in another DB/slot, you won't actually be able to do that
> This is extremely bad, because i have to maybe change the Trust-Status of some Certificates.
>
> So in conclusion for my needs it would be the way to open each database separately and successively?
>


--
John
--
dev-tech-crypto mailing list
[hidden email]
https://lists.mozilla.org/listinfo/dev-tech-crypto
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: NSS open multiple NSS-Databses at once?

Opa114-2
In reply to this post by Opa114-2
Am Mittwoch, 11. Januar 2017 14:23:45 UTC+1 schrieb John Dennis:

> On 01/11/2017 03:21 AM, Opa114 wrote:
> > Am Mittwoch, 11. Januar 2017 00:45:45 UTC+1 schrieb Robert Relyea:
> >> On 01/10/2017 02:07 PM, Opa114 wrote:
> >>> Am Dienstag, 10. Januar 2017 22:24:10 UTC+1 schrieb Robert Relyea:
> >>>> On 01/10/2017 10:18 AM, Opa114 wrote:
> >>>>> thanks, but these facts i know.
> >>>>> I don't want top let multiple applications open one Database, i want to open multiple different Mozilla databases, in the old standard format, with one (my) application.
> >>>>>
> >>>>> I tried to use the NSS_Init functions. These works with openening one database, but when i open a second one the whole application crashes,so that's why i asked the question and may be get some working example c++ code?
> >>>> 1) Where are you crashing (it's not expected to work, but I don't expect
> >>>> a crash because you called NSS_Init again).
> >>>>
> >>>> 2) To open additional databases you want to use SECMOD_OpenUserDB:
> >>>>
> >>>> https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/PKCS11_Functions#SECMOD_OpenUserDB
> >>>>
> >>>> You can call that multiple times.
> >>>> Once the database is opened any of the NSS find functions will find all
> >>>> the certs in both databases. The slot returned from SECOMD_OpenUserDB
> >>>> can be used in functions that take a slot to narrow the operations just
> >>>> to that particular database.
> >>>>
> >>>> To NSS each database will look basically like a smart card.
> >>>>
> >>>> When you are through with that database you can use SECMOD_CloseUserDB()
> >>>>
> >>>> bob
> >>>
> >>> thanks for reply. Here are first some little code of which did not work, that means it crashes:
> >>>
> >>> functionLoadFirefox() {
> >>> SECStatus rv = NSS_InitReadWrite(PATH_TO_FF_DB);
> >>> ... if success load Certificates with PK11_ListCerts(PK11CertListAll, NULL);
> >>> NSS_Shutdown();
> >>> }
> >>>
> >>> functionLoadThunderbird() {
> >>> SECStatus rv = NSS_InitReadWrite(PATH_TO_TB_DB);
> >>> ... if success load Certificates with PK11_ListCerts(PK11CertListAll, NULL);
> >>> NSS_Shutdown();
> >>> }
> >>>
> >>> So these are my two functions in which i opened and clos the databases and retrieve the certificates.
> >> So the certs you got from the first call is likely preventing
> >> NSS_Shutdown from completing. The certs hold references to the
> >> respective slots. Those references prevent NSS_Shutdown from closing
> >> completely. The will prevent the second NSS_Init from succeeding, so you
> >> probably crash in your second shutdown. You can detect this happened by
> >> looking at the return value from NSS_Shutdown().
> >>>
> >>> --> 2) To open additional databases you want to use SECMOD_OpenUserDB
> >>> So this means. First i have to call NSS_Init with let's say firefox database ad the i have to call SECMOD_OpenUserDB with the thudnerbirddatabse, right? Or must i load both with the SECMOD_OpenUserDB?
> >> You can either use NSS_Init with no database and then call
> >> SECMOD_OpenUserDB() for both, or you can call NSS_Init with one database
> >> and then call SECMOD_OpenUserDB with the other.
> >>>
> >>> --> Once the database is opened any of the NSS find functions will find all the certs in both databases
> >>> But i have to know from which databse the certificates are coming from. So i need to know that let's say Certificate ABC ist stored inside Firefox Databse and Certificate 123 is stored in Thunerbird Database. How can i do that? or is this not possible?
> >> The slot the database can be found in the cert->slot entry, but this
> >> will only give you ONE of the slots the cert lives in. If a cert exists
> >> in both databases, it will have a single entry on the list and be
> >> "somewhat" random which slot is listed (If you open one database with
> >> NSS_Init and the second with SECMOD_OpenUserDB() then the one you opened
> >> with SECMOD_OpenUserDB() will be the slot that shows up.
> >>
> >> To fix this issue, there's a function called PK11_GetAllSlotsForCert()
> >> which returns a slotList and will return all the slots that hold this
> >> cert. The slots map one for one to the databases you opened (or any
> >> smart cards you have loaded). You can control the 'tokenName' of each
> >> slot with the string arguments you pass to SECMOD_OpenUserDB(), and you
> >> can get the token name with PK11_GetTokenName() on each slot on the list..
> >>
> >> You could also use PK11_ListCertsInSlot() which takes a slot
> >> (SECMOD_OpenUserDB() will return a slot for you) and lists only those
> >> certs in that slot.
> >>
> >> Be sure to free all these things once you are through with them, or your
> >> shutdown will fail at the end again.
> >>
> >>
> >> bob
> >
> > thanks again for the detailed explanation, that helps me a lot - many thanks!
> >
> > --> So the certs you got from the first call is likely preventing
> > NSS_Shutdown from completing.....
> > So when i free the used stuff i can close the database correctly, so that i can open the second one. If i can close the first one correctly and NSS shuts down i should be able to open the second one, too.
> > Can you give me some more details to my piece of code or in general how to free the things correctly?
>
> Yes, you have to make sure NSS_Shutdown*() returns without an error, if
> it doesn't the next NSS_init* won't work. You can test for whether NSS
> is still in an initialized state with  NSS_IsInitialized(). If NSS does
> not shutdown successfully it's because of dangling references, finding
> out who is holding on to these is the tricky part. Calling
> NSS_DumpCertificateCacheInfo() *may* give you enough addition
> information to figure that out. In the past I've had to resort to
> running the process under GDB and step through code and data structures
> to figure it out. How hard this is is really a reflection of the
> complexity of your application code. In our case it was pretty complex.
> If your code is simple and clean it may be a total non-issue, YMMV.
>
> >
> > So if it will be better to open the two or more databases but successively and not at the same time as i wanted to do it. Would this be the better working solution. The only thing is that i then must reopen and shutdown the databses multiple times if needed.
>
> Yes, it's better for successive single databases than multiple
> simultaneous IMHO.
>
> > And did i understand it right, that i can use SECMOD_OpenUserDB() and SECMOD_CloseUserDB() to open and close the databases instead of using NSS_Init() and NSS_Shutdown()? The SECMOD-functions do call them internal or? Or does it not matter which of the functions i use?
> >
> > --> ... if you try to trust one CA in one DB/slot and not trust it in another DB/slot, you won't actually be able to do that
> > This is extremely bad, because i have to maybe change the Trust-Status of some Certificates.
> >
> > So in conclusion for my needs it would be the way to open each database separately and successively?
> >
>
>
> --
> John

thanks John for the explanation. I will try it this way when i have tim to test it again :/
--
dev-tech-crypto mailing list
[hidden email]
https://lists.mozilla.org/listinfo/dev-tech-crypto
Loading...